archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/termsrv/syslib/security.c

1121 lines
30 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*************************************************************************
  2. *
  3. * security.c
  4. *
  5. * NT Security routines
  6. *
  7. * copyright notice: Copyright 1997, Microsoft
  8. *
  9. *************************************************************************/
  11. #include <nt.h>
  12. #include <ntrtl.h>
  13. #include <nturtl.h>
  14. #include <ntexapi.h>
  15. #include <ntseapi.h>
  16. #include <stdlib.h>
  17. #include <stdio.h>
  18. #include <malloc.h>
  19. #include <windows.h>
  20. #include <string.h>
  21. #include <wcstr.h>
  22. #include "seopaque.h"
  23. #include "sertlp.h"
  25. #include <process.h>
  27. #include <winsta.h>
  28. #include <syslib.h>
  29. #include <lmcons.h> // for DNLEN KLB 09-18-96
  31. #include "security.h"
  33. #if DBG
  34. ULONG
  35. DbgPrint(
  36. PCH Format,
  37. ...
  38. );
  39. #define DBGPRINT(x) DbgPrint x
  40. #if DBGTRACE
  41. #define TRACE0(x) DbgPrint x
  42. #define TRACE1(x) DbgPrint x
  43. #else
  44. #define TRACE0(x)
  45. #define TRACE1(x)
  46. #endif
  47. #else
  48. #define DBGPRINT(x)
  49. #define TRACE0(x)
  50. #define TRACE1(x)
  51. #endif
  53. typedef struct _SIDLIST {
  54. struct _SIDLIST *Next;
  55. USHORT SidCrc;
  56. PWCHAR pAccountName;
  57. PWCHAR pDomainName;
  58. } SIDLIST, *PSIDLIST;
  60. static PSIDLIST SidCache = NULL;
  62. // Computer Name
  63. WCHAR ComputerName[MAX_COMPUTERNAME_LENGTH+1];
  65. // Admins only ACL
  66. PACL pAdminsOnlyAcl = NULL;
  67. DWORD AdminsOnlyAclSize = 0;
  69. //
  70. // Universal well known SIDs
  71. //
  73. PSID SeNullSid;
  74. PSID SeWorldSid;
  75. PSID SeLocalSid;
  76. PSID SeCreatorOwnerSid;
  77. PSID SeCreatorGroupSid;
  79. //
  80. // Sids defined by NT
  81. //
  83. PSID SeNtAuthoritySid;
  84. PSID SeDialupSid;
  85. PSID SeNetworkSid;
  86. PSID SeBatchSid;
  87. PSID SeInteractiveSid;
  88. PSID SeServiceSid;
  89. PSID SeLocalGuestSid;
  90. PSID SeLocalSystemSid;
  91. PSID SeLocalAdminSid;
  92. PSID SeLocalManagerSid;
  93. PSID SeAliasAdminsSid;
  94. PSID SeAliasUsersSid;
  95. PSID SeAliasGuestsSid;
  96. PSID SeAliasPowerUsersSid;
  97. PSID SeAliasAccountOpsSid;
  98. PSID SeAliasSystemOpsSid;
  99. PSID SeAliasPrintOpsSid;
  100. PSID SeAliasBackupOpsSid;
  101. PSID SeAliasReplicatorSid;
  103. static SID_IDENTIFIER_AUTHORITY SepNullSidAuthority = SECURITY_NULL_SID_AUTHORITY;
  104. static SID_IDENTIFIER_AUTHORITY SepWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
  105. static SID_IDENTIFIER_AUTHORITY SepLocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY;
  106. static SID_IDENTIFIER_AUTHORITY SepCreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
  107. static SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY;
  109. //
  110. // Sid of primary domain, and admin account in that domain
  111. //
  113. PSID SepPrimaryDomainSid;
  114. PSID SepPrimaryDomainAdminSid;
  117. // External data
  118. extern ADMIN_ACCOUNTS AllowAccounts[];
  119. extern DWORD AllowAccountEntries;
  120. extern ACCESS_MASK AllowAccess;
  122. extern ADMIN_ACCOUNTS DenyAccounts[];
  123. extern DWORD DenyAccountEntries;
  124. extern ACCESS_MASK DeniedAccess;
  127. // Forward and external references
  129. BOOLEAN
  130. InitializeBuiltinSids();
  132. BOOL
  133. LoadAccountSids();
  135. BOOL
  136. BuildSecureAcl();
  138. BOOL
  139. xxxLookupBuiltinAccount(
  140. PWCHAR pSystemName,
  141. PWCHAR pAccountName,
  142. PSID *ppSid
  143. );
  145. BOOL
  146. GetCurrentUserSid( PSID *ppSid );
  149. /*****************************************************************************
  150. *
  151. * InitSecurity
  152. *
  153. * Initialize the security package
  154. *
  155. * ENTRY:
  156. * Param1 (input/output)
  157. * Comments
  158. *
  159. * EXIT:
  160. * TRUE - no error
  161. * FALSE - error
  162. *
  163. ****************************************************************************/
  165. BOOL
  166. InitSecurity(
  167. )
  168. {
  169. BOOL rc;
  170. DWORD Size = sizeof(ComputerName)/sizeof(WCHAR);
  172. rc = GetComputerNameW( ComputerName, &Size );
  173. if( !rc ) {
  174. DBGPRINT(("***ERROR*** %d Could not get computer name\n",GetLastError() ));
  175. return( FALSE );
  176. }
  178. rc = InitializeBuiltinSids();
  179. if( !rc ) {
  180. DBGPRINT(("***ERROR*** Some built-in accounts not loaded\n"));
  181. return( FALSE );
  182. }
  184. rc = LoadAccountSids();
  185. if( !rc ) {
  186. DBGPRINT(("***ERROR*** Some accounts not loaded\n"));
  187. return( FALSE );
  188. }
  190. rc = BuildSecureAcl();
  191. if( !rc ) {
  192. DBGPRINT(("***ERROR*** Could not build ACL\n"));
  193. return( FALSE );
  194. }
  196. return( TRUE );
  197. }
  199. /*****************************************************************************
  200. *
  201. * LoadAccountSids
  202. *
  203. * Load the list of account access SIDS.
  204. *
  205. *
  206. * ENTRY:
  207. * Param1 (input/output)
  208. * Comments
  209. *
  210. * EXIT:
  211. * STATUS_SUCCESS - no error
  212. *
  213. ****************************************************************************/
  215. BOOL
  216. LoadAccountSids()
  217. {
  218. BOOL rc, Final;
  219. NTSTATUS Status;
  220. SID_IDENTIFIER_AUTHORITY gSystemSidAuthority = SECURITY_NT_AUTHORITY;
  223. Final = TRUE;
  225. //
  226. // Get the SID's for all of the allow accounts
  227. //
  229. //
  230. // Get the SID of the built-in Administrators group
  231. //
  233. Status = RtlAllocateAndInitializeSid(
  234. &gSystemSidAuthority,
  235. 2,
  236. SECURITY_BUILTIN_DOMAIN_RID,
  237. DOMAIN_ALIAS_RID_ADMINS,
  238. 0,0,0,0,0,0,
  239. &(AllowAccounts[ADMIN_ACCOUNT].pSid));
  240. if (!NT_SUCCESS(Status)) {
  241. DBGPRINT(("SYSLIB: Couldn't allocate Administrators SID (0x%x)\n", Status ));
  242. Final = FALSE;
  243. }
  245. //
  246. // SYSTEM
  247. //
  249. Status = RtlAllocateAndInitializeSid(
  250. &gSystemSidAuthority,
  251. 1,
  252. SECURITY_LOCAL_SYSTEM_RID,
  253. 0,0,0,0,0,0,0,
  254. &(AllowAccounts[SYSTEM_ACCOUNT].pSid));
  255. if (!NT_SUCCESS(Status)) {
  256. DBGPRINT(("SYSLIB: Couldn't allocate SYSTEM SID (0x%x)\n", Status ));
  257. Final = FALSE;
  258. }
  260. //
  261. // Get the current user's Sid
  262. //
  263. rc = xxxLookupAccountName(
  264. ComputerName,
  265. CURRENT_USER,
  266. &(AllowAccounts[USER_ACCOUNT].pSid)
  267. );
  269. if ( !rc ) {
  270. // It might be a special builtin account
  271. rc = xxxLookupBuiltinAccount(
  272. ComputerName,
  273. CURRENT_USER,
  274. &(AllowAccounts[USER_ACCOUNT].pSid)
  275. );
  277. if( !rc ) {
  278. DBGPRINT(("***WARNING*** Could not find SID for current user account, Error %d\n", GetLastError() ));
  279. Final = FALSE;
  280. }
  281. }
  283. #ifdef notdef
  284. //
  285. // Lookup the SID's for all of the deny accounts
  286. //
  288. for( Index = 0; Index < DenyAccountEntries; Index++ ) {
  290. p = &DenyAccounts[Index];
  292. rc = xxxLookupAccountName(
  293. ComputerName,
  294. p->Name,
  295. &p->pSid
  296. );
  298. if( !rc ) {
  299. // It might be a special builtin account
  300. rc = xxxLookupBuiltinAccount(
  301. ComputerName,
  302. p->Name,
  303. &p->pSid
  304. );
  306. if( !rc ) {
  307. DBGPRINT(("***WARNING*** Could not find SID for account %ws Error %d\n",p->Name,GetLastError() ));
  308. Final = FALSE;
  309. }
  310. }
  311. }
  312. #endif
  314. // Lower level function outputs if any accounts are invalid
  316. return( Final );
  317. }
  319. /*****************************************************************************
  320. *
  321. * IsAllowSid
  322. *
  323. * Returns whether the supplied SID is in the allow group
  324. *
  325. *
  326. * ENTRY:
  327. * Param1 (input/output)
  328. * Comments
  329. *
  330. * EXIT:
  331. * STATUS_SUCCESS - no error
  332. *
  333. ****************************************************************************/
  335. BOOL
  336. IsAllowSid(
  337. PSID pSid
  338. )
  339. {
  340. DWORD Index;
  341. PADMIN_ACCOUNTS p;
  342. BOOL AllowSid = FALSE;
  344. for( Index = 0; Index < AllowAccountEntries; Index++ ) {
  346. p = &AllowAccounts[Index];
  348. if( p->pSid && EqualSid( pSid, p->pSid ) ) {
  349. // The Sid is for an allowed account
  350. AllowSid = TRUE;
  351. break;
  352. }
  353. }
  355. return( AllowSid );
  356. }
  359. /*****************************************************************************
  360. *
  361. * xxxLookupAccountName
  362. *
  363. * Wrapper to lookup the SID for a given account name
  364. *
  365. * Returns a pointer to the SID in newly allocated memory
  366. *
  367. * ENTRY:
  368. * Param1 (input/output)
  369. * Comments
  370. *
  371. * EXIT:
  372. * STATUS_SUCCESS - no error
  373. *
  374. ****************************************************************************/
  376. BOOL
  377. xxxLookupAccountName(
  378. PWCHAR pSystemName,
  379. PWCHAR pAccountName,
  380. PSID *ppSid
  381. )
  382. {
  383. BOOL rc;
  384. DWORD Size, DomainSize, Error;
  385. SID_NAME_USE Type;
  386. PWCHAR pDomain = NULL;
  387. PSID pSid = NULL;
  388. WCHAR Buf;
  389. WCHAR pCurrentUser[MAX_ACCOUNT_NAME]; // KLB 09-16-96
  390. DWORD dwCurrentUser = MAX_ACCOUNT_NAME; // KLB 09-16-96
  391. WCHAR pAccountToLookup[MAX_ACCOUNT_NAME+DNLEN+1]; // KLB 09-18-96
  392. LPWSTR pLogon32DomainName = NULL; // KLB 09-19-96
  393. WINSTATIONINFORMATION WinInfo; // KLB 09-30-96
  394. ULONG ReturnLength; // KLB 09-30-96
  396. Size = 0;
  397. DomainSize = 0;
  399. /*
  400. * Open the WinStation and Query its information.
  401. */
  402. memset( &WinInfo, 0, sizeof(WINSTATIONINFORMATION) );
  403. rc = WinStationQueryInformation( SERVERNAME_CURRENT,
  404. LOGONID_CURRENT,
  405. WinStationInformation,
  406. (PVOID)&WinInfo,
  407. sizeof(WINSTATIONINFORMATION),
  408. &ReturnLength );
  409. if ( !rc ) {
  410. DBGPRINT(("error querying winstation information %d.\n", GetLastError() ));
  411. return( FALSE );
  412. }
  413. if( ReturnLength != sizeof(WINSTATIONINFORMATION) ) {
  414. DBGPRINT(("winstation info version mismatch!\n"));
  415. return( FALSE );
  416. }
  418. if (lstrcmpi(pAccountName,CURRENT_USER) == 0) {
  419. lstrcpy( pAccountToLookup, WinInfo.Domain );
  420. lstrcat( pAccountToLookup, L"\\" );
  421. lstrcat( pAccountToLookup, WinInfo.UserName );
  422. } else {
  423. lstrcpy( pAccountToLookup, pAccountName );
  424. }
  425. DBGPRINT(( "looking up account %ws\n", pAccountToLookup ));
  427. rc = LookupAccountNameW(
  428. pSystemName,
  429. pAccountToLookup, // KLB 09-16-96
  430. &Buf, // pSid
  431. &Size,
  432. &Buf, // pDomain
  433. &DomainSize,
  434. &Type
  435. );
  437. if( rc ) {
  438. DBGPRINT(("Internal error on account name %ws\n",pAccountToLookup));
  439. return( FALSE );
  440. }
  441. else {
  442. Error = GetLastError();
  443. if( Error != ERROR_INSUFFICIENT_BUFFER ) {
  444. DBGPRINT(("***ERROR*** %d looking up SID for account name %ws skipped without processing!\n",Error,pAccountToLookup));
  445. return( FALSE );
  446. }
  448. pSid = LocalAlloc( LMEM_FIXED, Size );
  449. if( pSid == NULL ) {
  450. DBGPRINT(("***ERROR*** Out of memory, skipped account %ws without processing!\n",pAccountToLookup));
  451. return( FALSE );
  452. }
  454. pDomain = LocalAlloc( LMEM_FIXED, DomainSize*sizeof(WCHAR) );
  455. if( pDomain == NULL ) {
  456. DBGPRINT(("***ERROR*** Out of memory, skipped account %ws without processing!\n",pAccountToLookup));
  457. LocalFree( pSid );
  458. return( FALSE );
  459. }
  461. rc = LookupAccountNameW(
  462. pSystemName,
  463. pAccountToLookup,
  464. pSid,
  465. &Size,
  466. pDomain,
  467. &DomainSize,
  468. &Type
  469. );
  471. if( !rc ) {
  472. DBGPRINT(("***ERROR*** %d looking up SID for account name %ws skipped without processing!\n",Error,pAccountToLookup));
  473. LocalFree( pSid );
  474. LocalFree( pDomain );
  475. return( FALSE );
  476. }
  478. *ppSid = pSid;
  480. LocalFree( pDomain );
  481. DBGPRINT(( "leaving xxxLookupAccountName(); pSid is okay, returning TRUE.\n" ));
  482. return( TRUE );
  483. }
  484. }
  486. /*****************************************************************************
  487. *
  488. * InitializeBuiltinSids
  489. *
  490. * Initialize the built in SIDS
  491. *
  492. * ENTRY:
  493. * Param1 (input/output)
  494. * Comments
  495. *
  496. * EXIT:
  497. * STATUS_SUCCESS - no error
  498. *
  499. ****************************************************************************/
  501. BOOLEAN
  502. InitializeBuiltinSids()
  503. {
  505. ULONG SidWithZeroSubAuthorities;
  506. ULONG SidWithOneSubAuthority;
  507. ULONG SidWithTwoSubAuthorities;
  508. ULONG SidWithThreeSubAuthorities;
  510. SID_IDENTIFIER_AUTHORITY NullSidAuthority;
  511. SID_IDENTIFIER_AUTHORITY WorldSidAuthority;
  512. SID_IDENTIFIER_AUTHORITY LocalSidAuthority;
  513. SID_IDENTIFIER_AUTHORITY CreatorSidAuthority;
  514. SID_IDENTIFIER_AUTHORITY SeNtAuthority;
  516. NullSidAuthority = SepNullSidAuthority;
  517. WorldSidAuthority = SepWorldSidAuthority;
  518. LocalSidAuthority = SepLocalSidAuthority;
  519. CreatorSidAuthority = SepCreatorSidAuthority;
  520. SeNtAuthority = SepNtAuthority;
  522. //
  523. // The following SID sizes need to be allocated
  524. //
  526. SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 );
  527. SidWithOneSubAuthority = RtlLengthRequiredSid( 1 );
  528. SidWithTwoSubAuthorities = RtlLengthRequiredSid( 2 );
  529. SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 );
  531. //
  532. // Allocate and initialize the universal SIDs
  533. //
  535. SeNullSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  536. SeWorldSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  537. SeLocalSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  538. SeCreatorOwnerSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  539. SeCreatorGroupSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  541. //
  542. // Fail initialization if we didn't get enough memory for the universal
  543. // SIDs.
  544. //
  546. if ( (SeNullSid == NULL) ||
  547. (SeWorldSid == NULL) ||
  548. (SeLocalSid == NULL) ||
  549. (SeCreatorOwnerSid == NULL) ||
  550. (SeCreatorGroupSid == NULL)
  551. ) {
  553. return( FALSE );
  554. }
  556. RtlInitializeSid( SeNullSid, &NullSidAuthority, 1 );
  557. RtlInitializeSid( SeWorldSid, &WorldSidAuthority, 1 );
  558. RtlInitializeSid( SeLocalSid, &LocalSidAuthority, 1 );
  559. RtlInitializeSid( SeCreatorOwnerSid, &CreatorSidAuthority, 1 );
  560. RtlInitializeSid( SeCreatorGroupSid, &CreatorSidAuthority, 1 );
  562. *(RtlSubAuthoritySid( SeNullSid, 0 )) = SECURITY_NULL_RID;
  563. *(RtlSubAuthoritySid( SeWorldSid, 0 )) = SECURITY_WORLD_RID;
  564. *(RtlSubAuthoritySid( SeLocalSid, 0 )) = SECURITY_LOCAL_RID;
  565. *(RtlSubAuthoritySid( SeCreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID;
  566. *(RtlSubAuthoritySid( SeCreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID;
  568. //
  569. // Allocate and initialize the NT defined SIDs
  570. //
  572. SeNtAuthoritySid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithZeroSubAuthorities);
  573. SeDialupSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  574. SeNetworkSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  575. SeBatchSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  576. SeInteractiveSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  577. SeServiceSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  578. SeLocalGuestSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  579. SeLocalSystemSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  580. SeLocalAdminSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  581. SeLocalManagerSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  583. SeAliasAdminsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  584. SeAliasUsersSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  585. SeAliasGuestsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  586. SeAliasPowerUsersSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  587. SeAliasAccountOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  588. SeAliasSystemOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  589. SeAliasPrintOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  590. SeAliasBackupOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  591. SeAliasReplicatorSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  594. //
  595. // Fail initialization if we didn't get enough memory for the NT SIDs.
  596. //
  598. if ( (SeNtAuthoritySid == NULL) ||
  599. (SeDialupSid == NULL) ||
  600. (SeNetworkSid == NULL) ||
  601. (SeBatchSid == NULL) ||
  602. (SeInteractiveSid == NULL) ||
  603. (SeServiceSid == NULL) ||
  604. (SeLocalGuestSid == NULL) ||
  605. (SeLocalSystemSid == NULL) ||
  606. (SeLocalAdminSid == NULL) ||
  607. (SeLocalManagerSid == NULL) ||
  608. (SeAliasAdminsSid == NULL) ||
  609. (SeAliasUsersSid == NULL) ||
  610. (SeAliasGuestsSid == NULL) ||
  611. (SeAliasPowerUsersSid == NULL) ||
  612. (SeAliasAccountOpsSid == NULL) ||
  613. (SeAliasSystemOpsSid == NULL) ||
  614. (SeAliasReplicatorSid == NULL) ||
  615. (SeAliasPrintOpsSid == NULL) ||
  616. (SeAliasBackupOpsSid == NULL)
  617. ) {
  619. return( FALSE );
  620. }
  622. RtlInitializeSid( SeNtAuthoritySid, &SeNtAuthority, 0 );
  623. RtlInitializeSid( SeDialupSid, &SeNtAuthority, 1 );
  624. RtlInitializeSid( SeNetworkSid, &SeNtAuthority, 1 );
  625. RtlInitializeSid( SeBatchSid, &SeNtAuthority, 1 );
  626. RtlInitializeSid( SeInteractiveSid, &SeNtAuthority, 1 );
  627. RtlInitializeSid( SeServiceSid, &SeNtAuthority, 1 );
  628. RtlInitializeSid( SeLocalGuestSid, &SeNtAuthority, 1 );
  629. RtlInitializeSid( SeLocalSystemSid, &SeNtAuthority, 1 );
  630. RtlInitializeSid( SeLocalAdminSid, &SeNtAuthority, 1 );
  631. RtlInitializeSid( SeLocalManagerSid, &SeNtAuthority, 1 );
  633. RtlInitializeSid( SeAliasAdminsSid, &SeNtAuthority, 2);
  634. RtlInitializeSid( SeAliasUsersSid, &SeNtAuthority, 2);
  635. RtlInitializeSid( SeAliasGuestsSid, &SeNtAuthority, 2);
  636. RtlInitializeSid( SeAliasPowerUsersSid, &SeNtAuthority, 2);
  637. RtlInitializeSid( SeAliasAccountOpsSid, &SeNtAuthority, 2);
  638. RtlInitializeSid( SeAliasSystemOpsSid, &SeNtAuthority, 2);
  639. RtlInitializeSid( SeAliasPrintOpsSid, &SeNtAuthority, 2);
  640. RtlInitializeSid( SeAliasBackupOpsSid, &SeNtAuthority, 2);
  641. RtlInitializeSid( SeAliasReplicatorSid, &SeNtAuthority, 2);
  644. *(RtlSubAuthoritySid( SeDialupSid, 0 )) = SECURITY_DIALUP_RID;
  645. *(RtlSubAuthoritySid( SeNetworkSid, 0 )) = SECURITY_NETWORK_RID;
  646. *(RtlSubAuthoritySid( SeBatchSid, 0 )) = SECURITY_BATCH_RID;
  647. *(RtlSubAuthoritySid( SeInteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID;
  648. *(RtlSubAuthoritySid( SeServiceSid, 0 )) = SECURITY_SERVICE_RID;
  649. // *(RtlSubAuthoritySid( SeLocalGuestSid, 0 )) = SECURITY_LOCAL_GUESTS_RID;
  650. *(RtlSubAuthoritySid( SeLocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
  651. // *(RtlSubAuthoritySid( SeLocalAdminSid, 0 )) = SECURITY_LOCAL_ADMIN_RID;
  652. // *(RtlSubAuthoritySid( SeLocalManagerSid, 0 )) = SECURITY_LOCAL_MANAGER_RID;
  655. *(RtlSubAuthoritySid( SeAliasAdminsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  656. *(RtlSubAuthoritySid( SeAliasUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  657. *(RtlSubAuthoritySid( SeAliasGuestsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  658. *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  659. *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  660. *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  661. *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  662. *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  663. *(RtlSubAuthoritySid( SeAliasReplicatorSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  665. *(RtlSubAuthoritySid( SeAliasAdminsSid, 1 )) = DOMAIN_ALIAS_RID_ADMINS;
  666. *(RtlSubAuthoritySid( SeAliasUsersSid, 1 )) = DOMAIN_ALIAS_RID_USERS;
  667. *(RtlSubAuthoritySid( SeAliasGuestsSid, 1 )) = DOMAIN_ALIAS_RID_GUESTS;
  668. *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS;
  669. *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 1 )) = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
  670. *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 1 )) = DOMAIN_ALIAS_RID_SYSTEM_OPS;
  671. *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 1 )) = DOMAIN_ALIAS_RID_PRINT_OPS;
  672. *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 1 )) = DOMAIN_ALIAS_RID_BACKUP_OPS;
  673. *(RtlSubAuthoritySid( SeAliasReplicatorSid, 1 )) = DOMAIN_ALIAS_RID_REPLICATOR;
  675. return( TRUE );
  676. }
  679. /*****************************************************************************
  680. *
  681. * xxxLookupBuiltinAccount
  682. *
  683. * Wrapper to lookup the SID for a given built in account name
  684. *
  685. * Returns a pointer to the SID in newly allocated memory
  686. *
  687. * ENTRY:
  688. * Param1 (input/output)
  689. * Comments
  690. *
  691. * EXIT:
  692. * STATUS_SUCCESS - no error
  693. *
  694. ****************************************************************************/
  696. BOOL
  697. xxxLookupBuiltinAccount(
  698. PWCHAR pSystemName,
  699. PWCHAR pAccountName,
  700. PSID *ppSid
  701. )
  702. {
  703. USHORT SidLen;
  704. SID_NAME_USE Type;
  705. PSID pSid = NULL;
  707. if( _wcsicmp( L"NULL_SID", pAccountName ) == 0 ) {
  708. pSid = SeNullSid;
  709. Type = SidTypeInvalid;
  710. }
  712. if( pSid == NULL ) {
  713. SetLastError( ERROR_NONE_MAPPED );
  714. return( FALSE );
  715. }
  717. SidLen = (USHORT)GetLengthSid( pSid );
  718. *ppSid = LocalAlloc(LMEM_FIXED, SidLen );
  719. if( *ppSid == NULL ) {
  720. SetLastError( ERROR_INSUFFICIENT_BUFFER );
  721. return( FALSE );
  722. }
  724. RtlMoveMemory( *ppSid, pSid, SidLen );
  726. return( TRUE );
  728. #ifdef notdef
  730. if( EqualSid( SeNullSid, pSid ) ) {
  731. pName = L"NULL_SID";
  732. Type = SidTypeInvalid;
  733. }
  735. if( EqualSid( SeWorldSid, pSid ) ) {
  736. pName = L"WORLD";
  737. Type = SidTypeWellKnownGroup;
  738. }
  740. if( EqualSid( SeLocalSid, pSid ) ) {
  741. pName = L"LOCAL_ACCOUNT";
  742. Type = SidTypeWellKnownGroup;
  743. }
  745. if( EqualSid( SeCreatorOwnerSid, pSid ) ) {
  746. pName = L"CREATOR_OWNER";
  747. Type = SidTypeWellKnownGroup;
  748. }
  750. if( EqualSid( SeCreatorGroupSid, pSid ) ) {
  751. pName = L"CREATOR_GROUP";
  752. Type = SidTypeWellKnownGroup;
  753. }
  755. //
  756. // Look at the NT SIDS
  757. //
  759. if( EqualSid( SeNtAuthoritySid, pSid ) ) {
  760. pName = L"NTAUTHORITY";
  761. Type = SidTypeWellKnownGroup;
  762. }
  764. if( EqualSid( SeDialupSid, pSid ) ) {
  765. pName = L"DIALUP";
  766. Type = SidTypeWellKnownGroup;
  767. }
  769. if( EqualSid( SeNetworkSid, pSid ) ) {
  770. pName = L"NETWORK";
  771. Type = SidTypeWellKnownGroup;
  772. }
  774. if( EqualSid( SeBatchSid, pSid ) ) {
  775. pName = L"BATCH";
  776. Type = SidTypeWellKnownGroup;
  777. }
  779. if( EqualSid( SeInteractiveSid, pSid ) ) {
  780. pName = L"INTERACTIVE";
  781. Type = SidTypeWellKnownGroup;
  782. }
  784. if( EqualSid( SeServiceSid, pSid ) ) {
  785. pName = L"SERVICE";
  786. Type = SidTypeWellKnownGroup;
  787. }
  789. if( EqualSid( SeLocalGuestSid, pSid ) ) {
  790. pName = L"LOCALGUEST";
  791. Type = SidTypeWellKnownGroup;
  792. }
  794. if( EqualSid( SeLocalSystemSid, pSid ) ) {
  795. pName = L"LOCALSYSTEM";
  796. Type = SidTypeWellKnownGroup;
  797. }
  799. if( EqualSid( SeLocalAdminSid, pSid ) ) {
  800. pName = L"LOCALADMIN";
  801. Type = SidTypeWellKnownGroup;
  802. }
  804. if( EqualSid( SeLocalManagerSid, pSid ) ) {
  805. pName = L"LOCALMANAGER";
  806. Type = SidTypeWellKnownGroup;
  807. }
  809. if( EqualSid( SeAliasAdminsSid, pSid ) ) {
  810. pName = L"ALIAS_ADMINS";
  811. Type = SidTypeAlias;
  812. }
  814. if( EqualSid( SeAliasUsersSid, pSid ) ) {
  815. pName = L"ALIAS_USERS";
  816. Type = SidTypeAlias;
  817. }
  819. if( EqualSid( SeAliasGuestsSid, pSid ) ) {
  820. pName = L"ALIAS_GUESTS";
  821. Type = SidTypeAlias;
  822. }
  824. if( EqualSid( SeAliasPowerUsersSid, pSid ) ) {
  825. pName = L"ALIAS_POWERUSERS";
  826. Type = SidTypeAlias;
  827. }
  829. if( EqualSid( SeAliasAccountOpsSid, pSid ) ) {
  830. pName = L"ALIAS_ACCOUNT_OPS";
  831. Type = SidTypeAlias;
  832. }
  834. if( EqualSid( SeAliasSystemOpsSid, pSid ) ) {
  835. pName = L"ALIAS_SYSTEM_OPS";
  836. Type = SidTypeAlias;
  837. }
  839. if( EqualSid( SeAliasPrintOpsSid, pSid ) ) {
  840. pName = L"ALIAS_PRINT_OPS";
  841. Type = SidTypeAlias;
  842. }
  844. if( EqualSid( SeAliasBackupOpsSid, pSid ) ) {
  845. pName = L"ALIAS_BACKUP_OPS";
  846. Type = SidTypeAlias;
  847. }
  849. if( EqualSid( SeAliasReplicatorSid, pSid ) ) {
  850. pName = L"ALIAS_REPLICATOR";
  851. Type = SidTypeAlias;
  852. }
  853. #endif
  854. }
  856. /*****************************************************************************
  857. *
  858. * GetSecureAcl
  859. *
  860. * Comment
  861. *
  862. * ENTRY:
  863. * Param1 (input/output)
  864. * Comments
  865. *
  866. * EXIT:
  867. * STATUS_SUCCESS - no error
  868. *
  869. ****************************************************************************/
  871. PACL
  872. GetSecureAcl()
  873. {
  874. return( pAdminsOnlyAcl );
  875. }
  877. /*****************************************************************************
  878. *
  879. * BuildSecureAcl
  880. *
  881. * Comment
  882. *
  883. * ENTRY:
  884. * Param1 (input/output)
  885. * Comments
  886. *
  887. * EXIT:
  888. * STATUS_SUCCESS - no error
  889. *
  890. ****************************************************************************/
  892. BOOL
  893. BuildSecureAcl()
  894. {
  895. BOOL rc;
  896. DWORD Index, Error;
  897. PADMIN_ACCOUNTS p;
  898. DWORD AclSize;
  899. PACL pAcl = NULL;
  900. PACCESS_ALLOWED_ACE pAce = NULL;
  902. /*
  903. * Calculate the ACL size
  904. */
  905. AclSize = sizeof(ACL);
  907. //
  908. // Reserve memory for the deny ACE's
  909. //
  910. for( Index = 0; Index < DenyAccountEntries; Index++ ) {
  912. p = &DenyAccounts[Index];
  914. if( p->pSid ) {
  915. AclSize += sizeof(ACCESS_DENIED_ACE);
  916. AclSize += (GetLengthSid( p->pSid ) - sizeof(DWORD));
  917. }
  918. }
  920. //
  921. // Reserve memory for the allowed ACE's
  922. //
  923. for( Index = 0; Index < AllowAccountEntries; Index++ ) {
  925. p = &AllowAccounts[Index];
  927. if( p->pSid ) {
  928. AclSize += sizeof(ACCESS_ALLOWED_ACE);
  929. AclSize += (GetLengthSid( p->pSid ) - sizeof(DWORD));
  930. }
  931. }
  933. pAcl = LocalAlloc( LMEM_FIXED, AclSize );
  934. if( pAcl == NULL ) {
  935. DBGPRINT(("Could not allocate memory\n"));
  936. return( FALSE );
  937. }
  939. rc = InitializeAcl(
  940. pAcl,
  941. AclSize,
  942. ACL_REVISION
  943. );
  945. if( !rc ) {
  946. DBGPRINT(("Error %d InitializeAcl\n",GetLastError()));
  947. LocalFree( pAcl );
  948. return( FALSE );
  949. }
  951. /*
  952. * Add a deny all ACE for each account in the deny list
  953. */
  954. for( Index = 0; Index < DenyAccountEntries; Index++ ) {
  956. p = &DenyAccounts[Index];
  958. rc = AddAccessDeniedAce(
  959. pAcl,
  960. ACL_REVISION,
  961. FILE_ALL_ACCESS,
  962. p->pSid
  963. );
  965. if( !rc ) {
  966. Error = GetLastError();
  967. DBGPRINT(("***ERROR*** adding deny ACE %d for account %ws\n",Error,p->Name));
  968. }
  969. }
  971. /*
  972. * Add an allow all ACE for each account in the allow list
  973. */
  974. for( Index = 0; Index < AllowAccountEntries; Index++ ) {
  976. p = &AllowAccounts[Index];
  978. rc = AddAccessAllowedAce(
  979. pAcl,
  980. ACL_REVISION,
  981. FILE_ALL_ACCESS,
  982. p->pSid
  983. );
  985. if( !rc ) {
  986. Error = GetLastError();
  987. DBGPRINT(("***ERROR*** adding allow ACE %d for account %ws\n",Error,p->Name));
  988. }
  989. }
  991. pAdminsOnlyAcl = pAcl;
  992. AdminsOnlyAclSize = AclSize;
  994. //
  995. // Put the inherit flags on the ACE's
  996. //
  997. for( Index=0; Index < pAcl->AceCount; Index++ ) {
  999. rc = GetAce( pAcl, Index, (PVOID)&pAce );
  1000. if( !rc ) {
  1001. continue;
  1002. }
  1004. pAce->Header.AceFlags |= (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);
  1005. }
  1007. return( TRUE );
  1008. }
  1010. /*****************************************************************************
  1011. *
  1012. * GetLocalAdminSid
  1013. *
  1014. * Comment
  1015. *
  1016. * ENTRY:
  1017. * Param1 (input/output)
  1018. * Comments
  1019. *
  1020. * EXIT:
  1021. * STATUS_SUCCESS - no error
  1022. *
  1023. ****************************************************************************/
  1025. PSID
  1026. GetLocalAdminSid()
  1027. {
  1028. return( SeLocalAdminSid );
  1029. }
  1031. /*****************************************************************************
  1032. *
  1033. * GetAdminSid
  1034. *
  1035. * Comment
  1036. *
  1037. * ENTRY:
  1038. * Param1 (input/output)
  1039. * Comments
  1040. *
  1041. * EXIT:
  1042. *
  1043. ****************************************************************************/
  1045. PSID
  1046. GetAdminSid()
  1047. {
  1048. return( AllowAccounts[ADMIN_ACCOUNT].pSid );
  1049. }
  1051. /*****************************************************************************
  1052. *
  1053. * GetLocalAdminGroupSid
  1054. *
  1055. * Comment
  1056. *
  1057. * ENTRY:
  1058. * Param1 (input/output)
  1059. * Comments
  1060. *
  1061. * EXIT:
  1062. * STATUS_SUCCESS - no error
  1063. *
  1064. ****************************************************************************/
  1066. PSID
  1067. GetLocalAdminGroupSid()
  1068. {
  1069. return( SeAliasAdminsSid );
  1070. }
  1073. /*****************************************************************************
  1074. *
  1075. * GetLocalAdminGroupSid
  1076. *
  1077. * Comment
  1078. *
  1079. * ENTRY:
  1080. * Param1 (input/output)
  1081. * Comments
  1082. *
  1083. * EXIT:
  1084. * STATUS_SUCCESS - no error
  1085. *
  1086. ****************************************************************************/
  1088. BOOL CheckUserSid()
  1089. {
  1090. BOOL rc;
  1091. PSID pSid;
  1092. PSID pPrevSid;
  1094. rc = xxxLookupAccountName(
  1095. ComputerName,
  1096. AllowAccounts[USER_ACCOUNT].Name,
  1097. &pSid
  1098. );
  1100. if( !rc ) {
  1101. // It might be a special builtin account
  1102. rc = xxxLookupBuiltinAccount(
  1103. ComputerName,
  1104. AllowAccounts[USER_ACCOUNT].Name,
  1105. &pSid
  1106. );
  1107. }
  1109. pPrevSid = AllowAccounts[USER_ACCOUNT].pSid;
  1110. if (rc && (!pPrevSid || !EqualSid( pSid, pPrevSid ))) {
  1111. AllowAccounts[USER_ACCOUNT].pSid = pSid;
  1112. if (pAdminsOnlyAcl) {
  1113. LocalFree( pAdminsOnlyAcl );
  1114. pAdminsOnlyAcl = NULL;
  1115. AdminsOnlyAclSize = 0;
  1116. }
  1117. rc = BuildSecureAcl();
  1118. }
  1120. return(rc);
  1121. }